Introducing the Safe Open Supply Pilot Program

Over the previous 12 months we’ve made a lot of investments to strengthen the safety of essential open supply initiatives, and just lately introduced our $10 billion dedication to cybersecurity protection together with $100 million to assist third-party foundations that handle open supply safety priorities and assist repair vulnerabilities.

At this time, we’re excited to announce our sponsorship for the Safe Open Supply (SOS) pilot program run by the Linux Basis. This program financially rewards builders for enhancing the safety of essential open supply initiatives that all of us rely on. We’re beginning with a $1 million funding and plan to develop the scope of this system primarily based on group suggestions.

Why SOS?

SOS rewards a really broad vary of enhancements that proactively harden essential open supply initiatives and supporting infrastructure in opposition to software and provide chain assaults. To enhance present packages that reward vulnerability administration, SOS’s scope is relatively wider in the kind of work it rewards, in an effort to assist undertaking builders.

What initiatives are in scope?

Since there isn’t a one definition of what makes an open supply undertaking essential, our choice course of shall be holistic. Throughout submission analysis we’ll think about the rules established by the Nationwide Institute of Requirements and Expertise’s definition in response to the current Govt Order on Cybersecurity together with standards listed beneath:

  • The impression of the undertaking:
    • What number of and what varieties of customers shall be affected by the safety enhancements?
    • Will the enhancements have a big impression on infrastructure and consumer safety?
    • If the undertaking had been compromised, how severe or wide-reaching would the implications be?
  • The undertaking’s rankings in present open supply criticality analysis:

What safety enhancements qualify? 

This system is initially targeted on rewarding the next work:

  • Software program provide chain safety enhancements together with hardening CI/CD pipelines and distribution infrastructure. The SLSA framework suggests particular necessities to contemplate, comparable to primary provenance technology and verification.
  • Adoption of software program artifact signing and verification. One possibility to contemplate is Sigstore’s set of utilities (e.g. cosign).
  • Undertaking enhancements that produce greater OpenSSF Scorecard outcomes. For instance, a contributor can comply with remediation ideas for the next Scorecard checks:
    • Code-Assessment
    • Department-Safety
    • Pinned-Dependencies
    • Dependency-Replace-Instrument
    • Fuzzing
  • Use of OpenSSF Allstar and remediation of found points.
  • Incomes a CII Finest Follow Badge (which additionally improves the Scorecard outcomes).

We’ll proceed including to the above record, so verify our FAQ for updates. You might also submit enhancements not listed above, should you present justification and proof to assist us perceive the complexity and impression of the work.

Solely work accomplished after October 1, 2021 qualifies for SOS rewards.

Upfront funding is obtainable on a restricted case by case foundation for impactful enhancements of reasonable to excessive complexity over an extended time span. Such requests ought to clarify why funding is required upfront and supply an in depth plan of how the enhancements shall be landed.

take part

Assessment our FAQ and fill out this manner to submit your software.

Please embrace as a lot knowledge or supporting proof as attainable to assist us consider the importance of the undertaking and your enhancements. 

Reward quantities

Reward quantities are decided primarily based on complexity and impression of labor:

  • $10,000 or extra for classy, high-impact and lasting enhancements that nearly definitely forestall main vulnerabilities within the affected code or supporting infrastructure.
  • $5,000-$10,000 for reasonably advanced enhancements that provide compelling safety advantages.
  • $1,000-$5,000 for submissions of modest complexity and impression.
  • $505 for small enhancements that nonetheless have advantage from a safety standpoint.

Trying Forward

The SOS program is a part of a broader effort to deal with a rising fact: the world depends on open supply software program, however widespread assist and monetary contributions are essential to maintain that software program secure and safe. This $1 million funding is only the start—we envision the SOS pilot program as the place to begin for future efforts that can hopefully carry collectively different massive organizations and switch it right into a sustainable, long-term initiative underneath the OpenSSF. We welcome group suggestions and curiosity from others who need to contribute to the SOS program. Collectively we are able to pool our assist to present again to the open supply group that makes the trendy web attainable.

Leave a Comment